(57) ABSTRACT

A system for secure data storage, exchange and/or sharing through a protected central storage facility, containing at least one "network vault" to which access is controlled through a single data access channel. The network vault is similar to a physical safe, in that substantially any type of information can be stored in the network vault, and in that the user need only place the information inside the network vault for the information to be secured. Thus, the system of the present invention combines the flexibility of data storage and retrieval through a network, with the security of controlled access for data storage and retrieval at a fixed physical location. The restriction of data access through a single data access channel greatly simplifies the task of protecting access to the data, since only this single channel must be monitored for unauthorized access, rather than monitoring many such channels (or interfaces). Also, the present invention enables data to be exchanged between two users and/or networks which do not trust each other, again by only permitting access to the stored data through the single data access channel, rather than by attempting to filter communication between the two parties. Thus, the present invention is able to provide security without declarations, since the data is moved into the security system, rather than attempting to impose the security system over an existing data access system.

32 Claims, 5 Drawing Sheets

Figure 2B
NETWORK VAULTS

FIELD AND BACKGROUND OF THE INVENTION

The present invention relates to a system and method for providing secure storage and transaction facilities for electronically stored data in a computer networking environment, and in particular, to such a system and method in which access to the facility is controlled by the owner of the information.

The security of information is extremely important for modern society, particularly since the advent of the Internet. Unauthorized exposure of such information, and/or unintended or unauthorized use of information may significantly damage organizations and individuals. Damage may also be caused by lost, corrupted or misused information. Thus, appropriate security measures are required in order to protect information from such damaging actions, while still maintaining the availability of such information to authorized individuals and/or organizations.

The mode of storage for information significantly alters the security measures required to protect the information. For example, information which is written on paper can be physically protected through storage in a physical safe. Such a physical safe is a device which contains the paper, thereby preventing unauthorized access to the information, and hence preventing unauthorized or unintended exposure or use of the information.

Physical safes have the advantage of ease of implementation and use, but have the drawback of being restricted to one physical location, such that the user must be physically present in the same location as the safe in order to access the information. Currently, flexibility and ease of access to information are highly valued, particularly through the Internet and organizational intranets, which provide connections between computers through a network. Accessing information through a network enables users at physically separate locations to share information, but also increases the possibility of unauthorized or unintended access to the information. Various attempts to provide a solution to the problem of security for electronically stored information are known in the art, but all of these attempted solutions have various drawbacks. For example, each solution is only able to provide a portion of the required security, thereby increasing the complexity of any security system for electronically stored information, which must be assembled from a number of different technologies. Even with such complicated, advanced security systems, unauthorized intruders such as "hackers" can still penetrate these security systems and access the electronically stored information. Thus, currently available security systems are both complicated to construct and maintain, and are not able to provide a comprehensive, reliable solution to the problem of information security.

In addition, security systems which are known in the art are designed to protect data by screening each interface, or "channel", to the data, thereby requiring many different systems to be assembled in order to provide full security. Furthermore, by attempting to screen multiple channels to data, the probability of overlooking one or more such channels increases significantly, such that the data then becomes vulnerable to access through such channels. Therefore, the success of the security system depends upon the ability of the system administrator to determine all necessary rules for filtering communication or access. Any risk which is overlooked can therefore result in a potential vulnerability of the system. Thus, currently available security systems in the art rely upon the ability to determine risks and vulnerabilities, and to account for every such risk and vulnerability, thereby resulting in complicated security systems.

Certainly, such complicated security systems are difficult, if not impossible, for the average user to understand and to maintain. Such users must trust the system administrator to competently and expertly manage the security system, thereby relinquishing control to the system administrator. However, a security system which could be simply and easily maintained by the average user, such that the average user would have control over his or her own information, would provide individual control to each user. In addition, such a security system would also preferably be more robust than existing security solutions. Unfortunately, such a security system is not currently available in the art.

There is thus a need for, and it would be useful to have, a system and a method for secure storage and transfer of electronically stored information, which provides a comprehensive and reliable security solution to the problem of information security for all types of information, regardless of format or type of information, which is simple to operate and maintain even for the average user such that individual control over data is possible, and which still permits flexible authorized access to the information as needed.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects and advantages will be better understood from the following detailed description of a preferred embodiment of the invention with reference to the drawings, wherein:

FIG. 1 is a schematic block diagram of an illustrative network vault system according to the present invention;

FIG. 2A is a schematic block diagram of a network vault of FIG. 1, showing its isolation, while FIG. 2B is a flowchart of an exemplary method for interacting with a network vault according to the present invention;

FIG. 3 is a schematic block diagram of an illustrative server system of FIG. 1; and

FIG. 4 is a schematic block diagram of an illustrative client for interacting with the server of FIG. 3.

SUMMARY OF THE INVENTION

The present invention is of a system and a method for secure data storage, exchange and/or sharing through a protected central storage facility to which access is controlled through a single data access channel. The storage facility is optionally implemented as a computer server with attached electronic storage hardware, through which at least one software-based "network vault" is operated. The network vault enables data to be stored with only controlled access by authorized user(s) permitted, similar to a physical safe. However, the network vault can be accessed through a network from a remote location, such that the user does not necessarily need to be in the same physical location as the central storage facility in order to place data into, and retrieve data from, the network vault. In this sense, the network vault is similar to a physical safe, in that substantially any type of information can be stored in the network vault, regardless of the format or type of information, and in that the user need only place the information inside the network vault for the information to be secured. Thus, the system and method of the present invention combine the flexibility of data storage and retrieval through a network,
with the security of controlled access for data storage and retrieval at a fixed physical location.

The method and system of the present invention have the following advantages over other currently available security solutions in the art. First, the present invention provides much higher security than existing products, yet is useful for any type of information in any type of format and is operable by the average computer user, such that each individual user is able to control access to his or her own data. Such control by the individual user can be described as "distributed security" in the sense that a centralized system administrator for controlling data security is not required. Furthermore, the present invention provides both physical and logical security, unlike other security solutions known in the art.

The high degree of security and simplicity of operation by the user is provided through a number of features, including the single data access channel to the data. This feature is not available among security systems known in the art, which generally attempt to impose a security solution on a computer system which was designed for open and transparent operation so any program and any system service may be used as an interface to the data. Thus, security must rely upon a filtering mechanism. Such imposed security systems must therefore operate according to a multiplicity of filtering declarations, such that the provided security is only as complete and robust as these declarations. By contrast, the restriction of data access through a single data access channel greatly simplifies the task of protecting access to the data, since only this single channel must be monitored for unauthorized access, rather than monitoring many such channels (or interfaces) as is currently known in the art. Also, the present invention enables data to be exchanged between two users and/or networks which do not trust each other, again by only permitting access to the stored data through the single data access channel, rather than by attempting to filter communication between the two parties. Thus, the present invention is able to provide security without declarations, since the data is moved into the security system, rather than attempting to impose the security system over an existing data access system.

In order to preserve the integrity of the single data access channel, a number of other features of the present invention prevent unauthorized access through any other possible type of interface. For example, as noted previously, the central storage facility is optionally implemented as a computer server with attached electronic storage hardware. Preferably, only software programs implemented according to the present invention are allowed to run on this computer server, thereby preventing unauthorized users from installing "rogue" software programs on the computer server in an attempt to gain access to the data.

Also, preferably the stored data is organized as a collection of files, which are only accessible through a unique filing system. This filing system is preferably not only unique to the present invention, but is also unique to each central storage facility, such that obtaining one such central storage facility would not enable an unauthorized user to somehow circumvent the security system for other such central storage facilities. Furthermore, no standard software program is able to read the files of the unique filing system, since the unique filing system does not … without special knowledge which is different for each central storage facility. Thus, software programs for accessing files must be individually constructed for each unique filing system according to the special knowledge required to access that individual filing system.

Various additional preferred features of the present invention also increase the security provided. For example, optionally and preferably manual confirmation of access to the data stored in the network vault by one or more owners of the network vault may be required before such access is granted, thereby providing additional control over access to the data. Also, preferably the network vault stores the history of activities within the safe, including the history of different versions of each file stored in the safe, such that the owner of the network vault can see the full history of each file. More preferably, files, including the history of the safe and the individual files, cannot be deleted without at least the expiration of a period of time for waiting. Such a waiting period decreases the ability of an unauthorized user to both gain access to the network vault and to mask such unauthorized access to the owner of the network vault. In addition, preferably a visual indication of access to a network vault is provided to the owner of that safe, as well as indication of access to a particular file within that safe. Thus, these preferred features increase control of the information by the owner of the network vault, as well as safeguarding against unauthorized attempts to access the data.

According to the present invention, there is provided a system for controlling access to data by a user, the system comprising: (a) a central storage facility for storing the data, the central storage facility comprising: (i) a hardware storage device for physically storing the data; (ii) a network vault for providing controlled access to the data stored on the hardware storage device, such that the access is provided to the user only if the user is permitted the access to the network vault and such that access to the data is permitted only through the network vault, the network vault determining if the access is permitted according to an identifier of the user and according to an authorization list, such that if the identifier of the user corresponds to an entry on the authorization list, the user is permitted the access to the data of the network vault; and (iii) a single data access channel for connecting to the network vault and for enabling communication with the network vault; (b) a network for connecting to the central storage facility; and (c) at least one user computer for being operated by the user and for being connected to the network, the at least one user computer featuring a client software for interacting with the user, such that the client software accesses the data in the network vault through the single data access channel.

According to still another embodiment of the present invention, there is provided a method for controlling access to data stored in a network vault, the network vault featuring a hardware storage device and a software server for controlling the access to the hardware storage device, the steps of the method being operated by a data processor, the method comprising the steps of: (a) providing a client software on a local computer for the user; (b) logging on to the network vault by the user through the client software by providing an identifier to the network vault; (c) determining if access is permitted to the network vault by the user according to the identifier and an authorization list, such that if the identifier corresponds to an entry on the authorization list, the access is permitted; and (d) if the access is permitted, displaying a status of the network vault to the user.

According to yet another embodiment of the present invention, there is provided a method for securely storing at least one file on a physical storage device, the steps of the method being performed by a data processor, the method comprising the step of: organizing the at least one file on the physical storage device according to a unique organization, such that the at least one file is accessible only according to


the unique organization, and such that alternatively the at least one file is inaccessible, such that the at least one file is securely stored.

According to still another embodiment of the present invention, there is provided a method for sharing information between a first party and a second party, the first party not being connected to the second party, the method comprising the steps of: (a) providing a trusted party for being connected to the first party and to the second party; (b) receiving the information from the first party by the trusted party; (c) immediately notifying the second party about the received information by the trusted party; and (d) retrieving the information from the trusted party by the second party, such that the information is continuously shared between the first party and the second party.
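The access-control method (identifier checked against an authorization list, then a status display), the file history, the deletion waiting period and the change-notification feature described above, modelled together as an added example that is not code from the patent. The class and method names, the seconds-based waiting period and the constructed sample file are assumptions; the point is that every operation passes through one `AccessChannel.request` entry point, so that single path is the only place authorization and logging have to be enforced.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Result = Tuple[str, object]  # (outcome, payload) returned by every request


@dataclass
class NetworkVault:
    """State of one vault (hypothetical model): authorization list, files,
    audit log, pending deletions and per-user notifications."""
    owner: str
    authorized: Set[str]                     # the authorization list (user identifiers)
    delete_wait: int = 3600                  # waiting period in seconds before a delete takes effect (assumed)
    files: Dict[str, List[Tuple[int, bytes]]] = field(default_factory=dict)  # name -> [(time, content)]
    pending_delete: Dict[str, int] = field(default_factory=dict)            # name -> time delete was requested
    log: List[Tuple[int, str, str, str]] = field(default_factory=list)       # (time, user, action, target); never deleted
    connected: Set[str] = field(default_factory=set)
    inbox: Dict[str, List[str]] = field(default_factory=dict)                # user -> notifications


class AccessChannel:
    """The single data access channel: the only way to reach the vault."""

    def __init__(self, vault: NetworkVault) -> None:
        self._vault = vault

    def _status(self) -> dict:
        v = self._vault
        # Step (d): the status shown after logon, including other connected users.
        return {"owner": v.owner, "connected": sorted(v.connected),
                "files": sorted(v.files), "recent": v.log[-5:]}

    def _notify(self, actor: str, message: str) -> None:
        # Notify every authorized user other than the one who acted.
        for user in self._vault.authorized - {actor}:
            self._vault.inbox.setdefault(user, []).append(message)

    def request(self, user: str, action: str, target: str = "",
                payload: bytes = b"", now: int = 0) -> Result:
        v = self._vault
        # Step (c): the identifier must correspond to an entry on the authorization list.
        if user not in v.authorized:
            v.log.append((now, user, "denied:" + action, target))
            return ("denied", None)
        v.log.append((now, user, action, target))
        if action == "logon":
            v.connected.add(user)
            return ("ok", self._status())
        if action == "put":
            v.files.setdefault(target, []).append((now, payload))  # every version is kept
            v.pending_delete.pop(target, None)                      # a new version cancels a pending delete
            self._notify(user, f"{target} changed by {user}")
            return ("ok", len(v.files[target]))
        if action == "get":
            versions = v.files.get(target)
            return ("ok", versions[-1][1]) if versions else ("missing", None)
        if action == "delete":
            if target not in v.files:
                return ("missing", None)
            requested = v.pending_delete.setdefault(target, now)
            if now - requested < v.delete_wait:
                # Deletion only takes effect after the waiting period has expired.
                return ("pending", requested + v.delete_wait)
            del v.files[target]
            del v.pending_delete[target]
            self._notify(user, f"{target} deleted by {user}")
            return ("ok", None)
        if action == "history":
            return ("ok", list(v.log))
        return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample session: owner A and authorized user B share one file; C is not on the list.
    channel = AccessChannel(NetworkVault(owner="A", authorized={"A", "B"}))
    print(channel.request("C", "logon"))                                   # ('denied', None)
    print(channel.request("A", "logon", now=1)[1]["connected"])            # ['A']
    print(channel.request("A", "put", "contract.txt", b"v1", now=2))       # ('ok', 1)
    print(channel.request("B", "delete", "contract.txt", now=10))          # ('pending', 3610)
```

The waiting period is what gives the owner a window to notice an unauthorized deletion in the audit log and in the notification inbox before the data is actually gone; the log itself is append-only and has no delete action, matching the patent's requirement that the history cannot be removed.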

Hereinafter, the term "network" refers to a connection between any two computers which permits the transmission of data. Hereinafter, the term "computer" includes, but is not limited to, personal computers (PC) having an operating system such as DOS, Windows™, OS/2™ or Linux; Macintosh™ computers; computers having JAVA™-OS as the operating system; and graphical workstations such as the computers of Sun Microsystems™ and Silicon Graphics™, and other computers having some version of the UNIX™ operating system such as AIX™ or SOLARIS™ of Sun Microsystems™; or any other known and available operating system. Hereinafter, the term "Windows™" includes but is not limited to Windows95™, Windows 3.x™ in which "x" is an integer such as "1", Windows NT™, Windows98™, Windows CE™ and any upgraded versions of these operating systems by Microsoft Inc. (Seattle, Wash., USA).

Hereinafter, the term "user" is the person who operates the GUI interface and interacts with software implemented according to the present invention.

Hereinafter, the term "exchange" also includes the term "share".

DETAILED DESCRIPTION OF THE INVENTION

The present invention is of a system and a method for secure data storage, exchange and/or sharing through a protected central storage facility, containing at least one "network vault" to which access is controlled through a single data access channel, for example through a network from a remote location, such that the user does not necessarily need to be in the same physical location as the central storage facility in order to place data into, and retrieve data from, the network vault. In this sense, the network vault is similar to a physical safe, in that substantially any type of information can be stored in the network vault, regardless of the format or type of information, and in that the user need only place the information inside the network vault for the information to be secured. Thus, the system and method of the present invention combine the flexibility of data storage and retrieval through a network, with the security of controlled access for data storage and retrieval at a fixed physical location.

The method and system of the present invention have the following advantages over other currently available security solutions in the art. First, the present invention provides much higher security than existing products, yet is useful for any type of information in any type of format and is operable by the average computer user, such that each individual user is able to control access to his or her own data. Such control by the individual user can be described as "distributed security" in the sense that a centralized system administrator for controlling data security is not required.

The high degree of security and simplicity of operation by the user is provided through a number of features, including the single data access channel to the data. This feature is not available among security systems known in the art, which generally attempt to impose a security solution on a computer system which was designed for open and transparent operation so any program and any system service may be used as an interface to the data. Thus, security must rely upon a filtering mechanism. Such imposed security systems must therefore operate according to a multiplicity of filtering declarations, such that the provided security is only as complete and robust as these declarations. By contrast, the restriction of data access through a single data access channel greatly simplifies the task of protecting access to the data, since only this single channel must be monitored for unauthorized access, rather than monitoring many such channels (or interfaces) as is currently known in the art. Also, the present invention enables data to be exchanged between two users and/or networks which do not trust each other, again by only permitting access to the stored data through the single data access channel, rather than by attempting to filter communication between the two parties. Thus, the present invention is able to provide security without declarations, since the data is moved into the security system, rather than attempting to impose the security system over an existing data access system.

The principles and operation of a method and system for secure data storage and exchange according to the present invention may be better understood with reference to the drawings and the accompanying description, it being understood that these drawings are given for illustrative purposes only and are not meant to be limiting.

Referring now to the drawings, FIG. 1 is a schematic block diagram of an illustrative network vault system 10 according to the present invention. As shown, network vault system 10 features a central storage facility 12. Central storage facility 12 is an electronic storage facility for storage of information. Central storage facility 12 is optionally a "virtual storage facility", in the sense that central storage facility 12 is not necessarily a single hardware device, nor is a hardware device necessarily dedicated to central storage facility 12. Rather, central storage facility 12 is a combination of electronic storage medium hardware, any hardware components required to access such an electronic storage medium, and software for controlling access to the information stored on the electronic storage medium. Examples of such electronic storage medium hardware include but are not limited to a magnetic storage medium such as a hard disk or a floppy disk drive with floppy disk; flash memory; writable CD-ROM disks with the appropriate CD-ROM drive; and substantially any other type of writable electronic storage medium for storing information. As such electronic storage medium hardware is well known in the art, the selection and implementation of a particular type of hardware could easily be made by one of ordinary skill in the art. Thus, the ensuing description focuses upon central storage facility 12 as implemented in software, it being understood that substantially any suitable hardware could be used in conjunction with central storage facility 12 for the system of the present invention.

One example of a suitable implementation for central storage facility 12 is a computer functioning as a server computer (also referred to herein as a "server"), to which the electronic storage medium hardware would be connected, and through which this storage hardware would be controlled. For this implementation, the server computer and associated hardware could optionally be placed into a physically secure case for added physical security.
Central storage facility 12 stores information, both providing access to the stored information and controlling such access. Optionally, central storage facility 12 could be connected to additional electronic devices for accessing information such as computers, through a network 14. As shown in FIG. 1, network 14 features three different types of networks: an open access network 16, a limited access network 18 and the Internet 20. These are only intended as examples of the types of networks which may provide a connection to central storage facility 12. Open access network 16 is an example of a network in which information is not classified and protected. By contrast, limited access network 18, which could be a corporate intranet for example, is designed to completely protect information, such that limited access network 18 may not be able to connect to other networks. Internet 20 is of course completely unrestricted. However, although each of these types of networks has different access requirements and security measures, users connected to each type of network can still access information through central storage facility 12.

For example, a user "A" 22 connected to limited access network 18 is able to connect to central storage facility 12, as is a user "B" 26 connected to open access network 16 or a user "C" 24 connected to Internet 20. According to the present invention, user "A" 22 is able to safely and securely exchange information with user "B" 26 and/or user "C" 24, without compromising the security of the information and without providing direct access to limited access network 18, such that packets do not travel between Internet 20 or open access network 16 and limited access network 18. This latter feature is important for information exchange between users which do not necessarily trust each other, such as a commercial organization and its customers, or between networks which should not be connected directly for security reasons, such as limited access network 18 and open access network 16. Thus, the present invention does not require users and/or networks to trust each other in order for secure information exchange to occur.

By contrast, security systems which are known in the art, such as firewalls and proxy servers, can only provide filtering of communication and therefore are not sufficiently robust and secure to permit a direct connection to, and packet exchange with, limited access network 18. Therefore, if a risk is overlooked, the filter will fail. Also, the security of the firewall and/or proxy server itself can be breached, enabling the intruder to change the declarations for filtering in order to permit unauthorized access through the firewall and/or proxy server. However, the present invention does not require such packet exchange across networks, so no such declarations are needed.

Rather, central storage facility 12 features at least one, and most preferably a plurality of, network vaults 28. Each network vault 28 is an isolated storage component for storing information, isolated since each network vault 28 has its own security system, with its own security database and hierarchy. Furthermore, the information related to security logs and authorizations is stored in a separate, isolated location, inaccessible except through the mechanisms provided by the present invention for interacting with network vault 28. Also, network vault 28 has distributed security, in that the owner(s) of each network vault 28 have control over access to network vault 28, unlike other systems known in the art in which control is ceded to a central system administrator who controls data access for a plurality of users. Thus, network vault 28 is "virtual" in the sense that physical separation and physical access control is not required, such that potentially user "A" 22 connected to limited access network 18 and user "B" 26 connected to open access network 16 can both access network vault 28 through their respective networks.

Network vault 28 provides security through isolation of sensitive data. For example, rather than focusing on the … connected to a network, which is a complex problem, security for sensitive data can be provided through network vault 28, which is an isolated, special purpose software tool built only for securing and sharing sensitive information. However, two users can still easily and securely share information. For example, user "A" 22 could share information with user "B" 26 through network vault 28, to which both users have access, by placing such information in network vault 28. User "B" 26 could then communicate with network vault 28 to access the information. Optionally and preferably, network vault 28 could include a notification mechanism for notifying user "B" 26 that the information stored in network vault 28 has been changed. Thus, network vault 28 permits secure information exchange, even across non-secure network connections.

FIG. 2A is a schematic block diagram of network vault 28 being operated by a server computer 13 for central storage facility 12, illustrating the isolation of the stored data. Server computer 13 is preferably only able to operate security software 19 according to the present invention, which acts as a gateway to network vault 28 such that only the single data access channel to network vault 28 is permitted, and unauthorized users are prevented from installing other software programs on server computer 13 in an attempt to access the data.

Furthermore, the single data access channel simplifies the operational task of security software 19, since only a single interface to the data stored in network vault 28 must be monitored and controlled. Such a communication channel can in turn be connected to a network 21 which is then connected to a client computer 23. Client computer 23 preferably at least operates a client software 25 according to the present invention for accessing network vault 28 through the single data access channel. Client computer 23 may optionally operate other software programs 27, for example as an adjunct to client software 25 for reading, writing or otherwise manipulating the data stored in network vault 28, or for purposes unrelated to network vault 28. Thus, substantially no restrictions on the operation of client computer 23 for security purposes are required, since all such restrictions are provided through server computer 13. This feature also simplifies operation of the present invention for the user.

As noted previously, the feature of a single data access channel is not available among security systems known in the art, which generally attempt to impose a security solution on a computer system according to a multiplicity of filtering declarations, such that the provided security is only as complete and robust as these declarations. By contrast, the restriction of data access through a single data access channel greatly simplifies the task of protecting access to the data, since only this single channel must be monitored for unauthorized access, rather than monitoring many such channels (or interfaces) as is currently known in the art. Thus, system 10 of the present invention is both robust and easy to operate by moving the data into network vault 28, to which access is only provided through the single data access channel which is protected by security software 19.

FIG. 2B is a flowchart of an exemplary method for connecting to, and communicating with, network vault 28.
In step 1, the user is provided with client software on a local computer. This client software provides a GUI (graphical user interface) for user interactions, such that the user can enter commands to network vault 28 and can receive data from network vault 28. In step 2, optionally the user logs onto central storage facility 12, through which access is provided to one or more network vaults 28. The term "logs onto" may optionally include entering some type of identifier, including but not limited to a user name, a password, a key diskette and a smart card, or some combination thereof. The term "key diskette" refers to a floppy disk which must be inserted into the floppy drive of the computer which is operating the client software in order to provide a physical "key" for accessing central storage facility 12. The smart card, readable through a smart card reader which is also locally connected to the computer which is operating the client software, provides another type of physical key for identifying the user. Other examples of identifiers include, but are not limited to, various types of biometric identification such as fingerprints and retinal prints. The identifier is then compared to a list of authorized users, to determine if the user should be granted access to network vault 28.

In step 3, the user logs onto each network vault 28 to which access is desired and permitted, preferably separately. A similar process for logging on as described in step 2 is preferably implemented for logging onto each network vault 28. The process of step 2 is described as optional when access to central storage facility 12 does not guarantee access to any network vault 28. However, the process of user identification and authentication must at least be performed before access is granted to any network vault 28.

Optionally and preferably, a period of delay may be required before access is granted to network vault 28. Such a delay is preferably implemented when a plurality of users have access to a particular network vault 28, thereby enabling one or more other users to be warned when a user is attempting to access network vault 28. For example, a supervisor may share network vault 28 with one or more subordinates, and hence may wish to determine if a subordinate may access network vault 28. In addition, such a delay could optionally and preferably permit a required confirmation by another user before access is granted to network vault 28. Similar to the previous example, the active acquiescence of the supervisor, through a confirmatory message for example, could be required before the subordinate could access network vault 28.

Also optionally and preferably, for even greater access control, a plurality of users could be collectively required to log onto network vault 28 at one time. Such an option could be required when the plurality of users all need to be in communication with network vault 28 before any access is granted to network vault 28, thereby enabling the plurality of users to actively monitor such access.

Optionally, if a plurality of attempts to gain access to network vault 28 have failed, the physical computer location from which the user is attempting to gain access is suspended from further access attempts, until authorization is granted again by another user or some other reauthorization process has been performed. By only preventing further access attempts from that physical computer location, a user cannot be intentionally completely blocked from gaining access to network vault 28 by another individual, yet security can still be maintained. Also optionally, each network vault 28 may have a list of physical computer locations from which access to network vault 28 is permitted.

In step 4, once access has been granted to network vault 28, the GUI displays to the user the status of each network vault 28 to which access was granted, since the user may optionally have access to a plurality of network vaults 28. The identity and status of each network vault 28 is indicated through the GUI. The term "status" optionally and preferably includes the identity or identities of any other user(s) who are connected to network vault 28, if any. In addition, the status optionally and preferably includes the history of accesses to network vault 28, and more preferably also includes the history of accesses to each file within network vault 28. Each history optionally and preferably includes but is not limited to the identity of the user who connected to network vault 28; the details of such a connection, including the date and time of access, the physical computer location from which access was made, and so forth; changes made to network vault 28 and/or the file within network vault 28, [...] alterations and deletions; and details of any accesses which were denied by network vault 28, for example [...] permission to perform the action.

Maintaining such a file and network vault 28 history is important to control access to a file and to network vault 28, to know what actions were taken in relation to the file and to network vault 28, to prevent unauthorized use of the file and/or of network vault 28, and to track such access if the need arises at a later date.

More preferably, this history cannot be altered or deleted for a specified period of time, such as a period of n days (n being an integer) after an entry was made in the history. Such a feature prevents intruders from attempting to conceal evidence of unauthorized accesses by deleting the history of such accesses. In addition, preferably files within network vault 28 cannot be deleted before a specified period of time has elapsed. Rather, each file is marked as "deleted" after a delete action has been performed, but the file is not actually removed from network vault 28 until the specified period of time has elapsed. This feature also provides additional security for the information stored in network vault 28. Also, this feature is analogous to showing a (physically) broken safe when such a physical safe is opened by an unauthorized user. Previously, unauthorized accesses to electronically stored information could be masked, for example by deleting the history of such accesses. According to this preferred feature of the present invention, such unauthorized accesses cannot be masked since the history preferably cannot be immediately deleted.

In step 5, the user adds a file to network vault 28. Optionally and preferably, manual confirmation is required for each specific action, such as adding a file, and not just to log into network vault 28. Optionally, this action is performed by "dragging and dropping" an icon representing the file into a folder representing network vault 28 in the GUI being displayed to the user by the client software. Other simple and well-understood techniques may be used to move the file into network vault 28, such as invoking the file "copy" command (or its equivalent) available through the computer operating system according to which the computer of the user is being operated, since network vault 28 is preferably represented to the user as a folder or directory for storing files.

In step 6, the user reads a file within network vault 28. Hereinafter, the term "file" refers to any unit of data within network vault 28, which may include for example a message. Preferably, the file is only stored in the RAM (random access memory) of the computer of the user, thereby avoiding even temporary storage of the file on the hard disk or other permanent storage media of the computer of the user, as described in greater detail below. Storage of the file in
RAM greatly increases the difficulty of unauthorized access through the computer of the user. As described in greater detail with regard to FIG. 4 below, manipulation of the file within network vault 28 can be performed with either a specially designed program for interacting with the software modules of central storage facility 12, or alternatively can be performed with standard software which accesses the file through the client software described in greater detail below.

In step 7, optionally a second user also accesses network vault 28. Preferably, in step 8, the first user is notified of the access by the second user, for example through a "watchdog" icon which is displayed through the GUI of the first user. Assuming that the access of the second user is successful, in step 9 the second user is able to read a file within network vault 28. Thus, the first user and the second user can share information without exchange of messages, such that these users do not need to be in direct contact except through network vault 28.

Although the previous discussion concerned the ability to share and exchange information between different users, it is understood that such sharing and exchanging of information could also occur between two software programs, for example, and not just between two users.

Also preferably, in step 9, the first user optionally performs some type of administrative action, such as assigning access to network vault 28 to another user, for example, if that user is an owner of network vault 28 and hence may change, add or remove user permissions and otherwise administer network vault 28. Thus, no external system administrator is required to administer network vault 28, since each owner of network vault 28 is able to perform these functions.

FIG. 3 shows a schematic block diagram of an exemplary server according to the present invention, represented as a plurality of software modules. It should be noted that these software modules would be included within central storage facility 12, as previously described for FIG. 1, and enable communication between central storage facility 12 and a client which is operated by the user (see FIG. 4 for a more detailed description of the client). A server 30 features at least one, and preferably a plurality of, network interfaces 32. Each network interface 32 permits a separate connection of central storage facility 12 to a network, as well as enabling separate communication of the network with the software modules of server 30.

As packets are received through network interface 32, these packets are passed through a packet filter 34, which effectively acts as the gatekeeper for the single data access channel to the stored data to which reference was previously made. Packet filter 34 is built as a device driver which sits between the MAC drivers and a network protocol driver 36 (see for example the Microsoft NDIS specification). Network protocol driver 36 can implement any standard network protocol such as TCP/IP for example. Packet filter 34 acts as an internal, dedicated firewall for examining each packet to verify that the packet is targeted only to a network address for central storage facility 12, which is the IP address for the TCP/IP network protocol. Packet filter 34 also verifies that the packet is targeted to the gateway transport address for central storage facility 12, which is the port number for the TCP/IP network protocol. Any packet which does not conform to these rules is immediately dropped. A similar analysis is performed for any outgoing packet which is not being sent from a transaction gateway software module 38.

Filtering prevents any type of packet exchange or other data transfer from outside server 30 to any entity inside other than the software modules of the security system of the present invention. Such filtering prevents the installation of a Trojan horse or other unauthorized program for attempting to exchange packets outside the mechanism provided by the security system. In addition, filtering of the single data access channel protects the stored data from Trojan horses, backdoors, software bugs or other software vulnerabilities, reducing the complexity of the task for the security system to regulation of access through the single data access channel.

Transaction gateway software module 38 is an interface for the remaining software components of server 30. Transaction gateway software module 38 performs a number of functions, including authentication of users through any type of key exchange protocol including, but not limited to, SSL (secure socket layer). At the time of logging on to network vault 28, a two-way authentication (hand-shake) process is performed, based upon a password and optionally [...] biometric identification such as fingerprints and retinal prints, as described for FIG. 2B previously. A one-time encryption key is selected and exchanged between the client and transaction gateway software module 38.

Another function of transaction gateway software module 38 is handling communication activities with the client, including exchanging messages or "transactions" between the client and server 30. These communication activities are based upon a session oriented client/server model for communication, and allow multiple clients to be supported. When a user logs onto a network vault 28, a session is created after the identity of the user has been authenticated as previously described. The session [...] is used to encrypt any further communication between the client and transaction gateway software module 38. Transaction gateway software module 38 encrypts all messages before sending these messages to the client, and decrypts received messages from the client.

The encryption and decryption processes are performed by a standard symmetric encryption software module 40, which could employ substantially any suitable encryption algorithm. Examples of suitable encryption algorithms include but are not limited to DES and IDEA.

Once a received message from the client has been decrypted, the decrypted message is passed to a transaction manager software module 42. Transaction manager software module 42 maintains a transactions queue. Each new transaction is added to this queue, and waits to be selected for execution. A transaction is selected for execution according to priority after the necessary resources become available. Any output created by the transaction during execution is then sent to the client.

Each transaction contains a list of one or more resources which the transaction needs to "lock" for execution. These resources may be locked in share mode (thereby enabling other share requests to be executed in parallel) or in exclusive mode, such that no other requests are permitted for concomitant execution. Resources are locked by a lock manager 44, which can lock a file, a network vault, a record in a table, a user identity for a session and a database, in order to prevent parallel use or updating of these resources when necessary. Lock manager 44 permits the transaction to begin execution only when all of the necessary resources for that transaction have been locked.

One particular type of transaction is a resident transaction, which must wait on the queue until the necessary resources have been updated by another transaction. After execution,
the resident transaction is entered to the queue again rather than being purged. The resident transaction is removed from the queue upon receipt of a cancel request from the client. This mechanism allows each client to be immediately updated about any update access (exclusive lock) to one or more client resources, and in particular to a file, safe or user identity of the client, without requiring periodic polling of the system by the client. Thus, the mechanism of resident transactions significantly decreases the load on the network and on server 30.

All of these features enable the filing system for organizing the data according to the present invention to be an "active" filing system. Such an active filing system informs the user immediately of any actions which were performed through the filing system, such as accessing a file for example. This notification is performed without continuous polling of the software components being operated through server 30, since the client software on the computer of the user is notified through the active filing system components described previously whenever such access is attempted. In addition, the active filing system is required for two software programs to share or exchange information, in order to notify a software program that such information has been retrieved and is ready for sharing or exchanging with another software program.

When lock manager 44 has approved execution of the transaction, a transaction processing server (TP server) 46 executes the transaction. Preferably, a plurality of such TP servers 46 operate concurrently, for example as threads or processes. Each TP server 46 at least supports the following types of transactions: logging on and off by the user through the client; creating, updating or deleting a network vault or a user identity; storing, fetching and deleting a file or record; listing or deleting the history of a file or safe; adding, updating or removing the identity of the owner of a network vault; and listing the network vault(s) of the requesting user and/or the users of a particular network vault. After the transaction has ended, the output is returned to transaction manager software module 42 and another transaction is selected for execution.

Each request by a transaction to access stored information is passed through a security software module 48. Security software module 48 examines each such request to determine whether the network vault may be accessed by the user through the transaction, including whether the user has permission to perform the transaction to the particular network vault. Since security for each network vault is provided through a separate security environment, each user/owner is able to control access to information without endangering the information of any other network vault.

Security software module 48 preferably operates a separate associated database 50 for each network vault. Preferably, database 50 is a relational database. Database 50 contains such security information as the identity of the owners of the network vault; a list of other users permitted to access the network vault and the associated actions which they are permitted to perform; a security log of actions taken with regard to the network vault; and details of the operation of the network vault. Such administrative information is preferably inaccessible to any program outside the security software of the present invention, since there is no service available for that type of access. Such access would only potentially endanger the integrity of the information.

More preferably, database 50 also stores the information protected by the network vault, in the form of files preferably organized according to a unique file system. This filing system is preferably not only unique to the present invention, but is also unique for each central storage facility 12, such that obtaining one such central storage facility 12 would not enable an unauthorized user to learn how to circumvent the security system for other such central storage facilities 12. Furthermore, no standard software program is able to read the files of the unique filing system, since the filing system does not permit such access without [...] facility 12. Thus, software programs for accessing files must be individually constructed for each unique filing system according to the special knowledge required to access that individual filing system.

This unique file system shares some similarities to known standard file systems such as FAT, HPFS, NTFS and so forth. However, the unique file system has a number of differences. First, the unique file system does not support the standard file access services associated with these standard file systems such as "open", "read", "write" and "close", thereby preventing any access to the stored files from a standard program. Also, the API of the software of the present invention does not provide any mechanism for storing or running other programs on server 30, but only on client 56, thereby preventing an unauthorized program from attempting to circumvent the unique filing system.

In order for the unique filing system to be unique, as previously noted, particular knowledge of the system is required. One example of such knowledge is the organization of the logical and physical blocks. More preferably the logical order of the file system blocks, or clusters, is different than the physical order of these clusters. For example, cluster "1" according to the logical order of the file system would actually point to a physical cluster "x" in which "x" is not equal to "1". Preferably the actual mapping of each logical cluster to a physical cluster is random and is separately generated for the file system of each central storage facility 12. Optionally and most preferably, the mapping is stored on an external storage medium rather than on the hard drive, and is required at system initialization. The system then loads this mapping into memory, at which point the external storage medium can be optionally removed and stored in a secured location. Preferably, the external storage medium also contains such information as the cluster size, the encryption key (see below for more description) and other details of the file system.

A virtual disk driver 52 serves the unique file system and is constructed according to the particular characteristics of the operating system of the computer of central storage facility 12 on which virtual disk driver 52 is operated. Virtual disk driver 52 has several differences from standard drivers. First, as noted previously, the file system format is loaded at initialization time from the external media and is stored in memory. Next, each request to access a file for a read/write operation contains the logical cluster number and the physical cluster number for that access. If these numbers do not match according to the particular file system operated through virtual disk driver 52, then virtual disk driver 52 rejects the access request. In addition, at the time of initialization, the storage address of the calling program is saved. For each requested access, the address of the calling program is compared to the saved calling program address. If these two addresses do not match, then the request is rejected. Thus, even a specially constructed program would not be able to perform unauthorized access in order to obtain information stored in the files.

Server 30 also preferably features a system hook (not shown) for preventing any additional software programs from being operated by central storage facility 12, thereby preventing the installation of a rogue software program for accessing the stored data. This ensures that only one program can run over the secured environment.

Server 30 preferably also features a pseudorandom number generator 54 for generating pseudorandom numbers as part of the process of encryption key generation.
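The history and delayed-deletion features described for FIG. 2B above (a per-vault history that records connections, denied attempts and file actions; history entries that cannot be removed for n days; files that are marked "deleted" but retained until the period elapses) are modelled below. This is an added Python example and not code from the patent or from any product built on it; the day-based clock, the 30-day window, the user and host names and the action names are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HistoryEntry:
    """One record of the network vault history."""
    day: float        # time of the entry in days (constructed unit; a real system uses timestamps)
    user: str         # identity of the user who connected or acted
    location: str     # physical computer location the access came from
    action: str       # "connect", "denied", "add", "read" or "delete"
    target: str       # vault name or file name the action concerned


class NetworkVault:
    """Vault whose history entries and deleted files are retained for `retention_days`."""

    def __init__(self, name, retention_days):
        self.name = name
        self.retention_days = retention_days
        self._history = []
        self._files = {}   # file name -> [content, day the file was marked deleted or None]

    def _log(self, day, user, location, action, target):
        self._history.append(HistoryEntry(day, user, location, action, target))

    def connect(self, day, user, location, permitted):
        # Denied attempts are recorded as well: they are the evidence an intruder would want to erase.
        self._log(day, user, location, "connect" if permitted else "denied", self.name)
        return permitted

    def add_file(self, day, user, location, name, content):
        self._files[name] = [content, None]
        self._log(day, user, location, "add", name)

    def read_file(self, day, user, location, name):
        self._log(day, user, location, "read", name)
        return self._files[name][0]

    def delete_file(self, day, user, location, name):
        """Soft delete: the file is only marked; its bytes stay until the window has elapsed."""
        self._files[name][1] = day
        self._log(day, user, location, "delete", name)

    def is_deleted(self, name):
        return self._files[name][1] is not None

    def files(self):
        """Names still physically present, including files marked as deleted."""
        return sorted(self._files)

    def history(self):
        return list(self._history)

    def purge_history(self, day):
        """Remove only entries older than the window, whatever the caller asks for.
        Returns the number of entries removed."""
        keep = [e for e in self._history if day - e.day < self.retention_days]
        removed = len(self._history) - len(keep)
        self._history = keep
        return removed

    def expunge_files(self, day):
        """Physically remove files whose delete mark is older than the window.
        Returns the names removed."""
        gone = [n for n, (_, deleted_on) in self._files.items()
                if deleted_on is not None and day - deleted_on >= self.retention_days]
        for n in gone:
            del self._files[n]
        return gone
```

The point of `purge_history` taking a `day` rather than a list of entries is that the caller never chooses what to drop: the only operation the vault offers is "drop what is older than the window", so a denied-access record made yesterday survives any purge request.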

FIG. 4 shows a schematic block diagram of an illustrative 
implementation of the client for interacting with server 30 of 
FIG. 3 (not shown). As for the server of FIG. 3, a client 56 
features a plurality of software modules which are operated 
by the computer of the user (not shown). Also as for server 
30 of FIG. 3 (not shown), client 56 features network
interface 32, network protocol driver 36, standard symmetric 
encryption software module 40 and pseudorandom number 
generator 54, performing similar functions for client 56. 
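The rules of packet filter 34 described for FIG. 3 above (pass a packet only if it is addressed to the network address of central storage facility 12 and to the gateway port, drop everything else immediately, and apply the same analysis to outgoing packets that were not sent by transaction gateway software module 38) can be written down as a small filter. This is an added Python example, not the patent's device driver; the IP addresses, the port number and the per-peer drop counter (included to show what a defender would want to log) are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP/IP packet as the filter sees it (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool = False       # True for a packet leaving server 30
    from_gateway: bool = False   # True when the transaction gateway module is the sender


class PacketFilter:
    """Gatekeeper for the single data access channel: one IP address and one port."""

    def __init__(self, facility_ip, gateway_port):
        self.facility_ip = facility_ip        # network address of central storage facility 12
        self.gateway_port = gateway_port      # gateway transport address (TCP port)
        self.dropped_by_peer = Counter()      # which peers send non-conforming packets

    def accept(self, pkt):
        """Return True if the packet conforms to the rules, False if it must be dropped."""
        if pkt.outbound:
            if pkt.from_gateway:
                return True   # the gateway's own traffic is the only legitimate output
            # Any other outgoing packet must still originate from the single channel.
            ok = pkt.src_ip == self.facility_ip and pkt.src_port == self.gateway_port
        else:
            ok = pkt.dst_ip == self.facility_ip and pkt.dst_port == self.gateway_port
        if not ok:
            peer = pkt.dst_ip if pkt.outbound else pkt.src_ip
            self.dropped_by_peer[peer] += 1
        return ok

    def process(self, packets):
        """Split a sequence of packets into those passed on and those dropped."""
        passed, dropped = [], []
        for pkt in packets:
            (passed if self.accept(pkt) else dropped).append(pkt)
        return passed, dropped
```

The drop counter is the detection side of the same rule: a peer that keeps hitting other ports or addresses on the facility is probing, and the filter is the one place where that shows up.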

Client 56 features a client gateway software module 58, which is equivalent but mirrored in function to transaction gateway software module 38 of FIG. 3 (not shown). Client gateway software module 58 receives the output of transactions from server 30 (not shown) through network interface 32, decrypts this output and passes the output to a data splitter/replicator software module 60. Client gateway software module 58 also receives requests for transactions from data splitter/replicator software module 60, encrypts these requests and sends the requests through network interface 32 to server 30 (not shown).
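The server-side handling of the "transactions" that client gateway software module 58 sends, as described for FIG. 3 above (a queue selected by priority, share and exclusive locks taken all-or-nothing by lock manager 44, and resident transactions that re-enter the queue after execution until the client cancels them), is shown below as an added Python example; it is not code from the patent. The priority convention (lower number selected first), the resource names and the per-resource version counter used to decide when a resident transaction has been "updated by another transaction" are assumptions of the example.

```python
from dataclasses import dataclass, field

SHARE, EXCLUSIVE = "share", "exclusive"


@dataclass
class Transaction:
    id: str
    priority: int          # lower number = selected first (constructed convention)
    resources: list        # [(resource name, SHARE or EXCLUSIVE)]
    resident: bool = False
    seen: dict = field(default_factory=dict)   # resource -> version last observed (resident only)


class LockManager:
    """Locks files, vaults, records, user identities or databases in share or exclusive mode."""

    def __init__(self):
        self._locks = {}   # resource -> [mode, set of holder ids]

    def _compatible(self, txn_id, resource, mode):
        held = self._locks.get(resource)
        if held is None or txn_id in held[1]:
            return True
        return held[0] == SHARE and mode == SHARE   # share + share may run in parallel

    def lock_all(self, txn):
        """All-or-nothing: the transaction begins only when every resource is locked."""
        if not all(self._compatible(txn.id, r, m) for r, m in txn.resources):
            return False
        for r, m in txn.resources:
            self._locks.setdefault(r, [m, set()])[1].add(txn.id)
        return True

    def release_all(self, txn):
        for r, _ in txn.resources:
            held = self._locks.get(r)
            if held:
                held[1].discard(txn.id)
                if not held[1]:
                    del self._locks[r]


class TransactionManager:
    def __init__(self):
        self.locks = LockManager()
        self._queue = []       # waiting transactions
        self._running = {}     # id -> Transaction currently executing
        self._versions = {}    # resource -> number of completed exclusive updates
        self._cancelled = set()

    def submit(self, txn):
        self._queue.append(txn)

    def cancel(self, txn_id):
        """Client cancel request: a resident transaction leaves the queue for good."""
        self._cancelled.add(txn_id)
        self._queue = [t for t in self._queue if t.id != txn_id]

    def _ready(self, txn):
        if txn.resident and not any(self._versions.get(r, 0) > txn.seen.get(r, 0)
                                    for r, _ in txn.resources):
            return False   # resident: wait until another transaction updated a resource
        return self.locks.lock_all(txn)

    def start_next(self):
        """Select the highest-priority transaction whose resources can all be locked."""
        for txn in sorted(self._queue, key=lambda t: t.priority):
            if self._ready(txn):
                self._queue.remove(txn)
                self._running[txn.id] = txn
                return txn.id
        return None

    def finish(self, txn_id):
        txn = self._running.pop(txn_id)
        for r, m in txn.resources:
            if m == EXCLUSIVE:
                self._versions[r] = self._versions.get(r, 0) + 1
        self.locks.release_all(txn)
        if txn.resident and txn.id not in self._cancelled:
            txn.seen = {r: self._versions.get(r, 0) for r, _ in txn.resources}
            self._queue.append(txn)   # re-entered rather than purged
```

A resident transaction here is what the text calls the mechanism that lets a client learn of an exclusive-lock update to its file, safe or identity without polling: it sits in the queue, becomes eligible only after some other transaction's exclusive lock on one of its resources has been released, runs, and goes back on the queue.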

Data splitter/replicator software module 60 is an optional but preferred feature of client 56, which enables a network vault to be located on two servers 30 (not shown) for the purposes of data replication or splitting. For data replication, each file is stored on both servers 30, for higher availability of the data. For data splitting, each file is mathematically split into two parts, with each part being stored on one server 30, such that an intruder seeking unauthorized access to the file must obtain such access from both servers 30. Obtaining only one part of the file would render the data meaningless. Thus, both data splitting and data replication provide additional file security.

According to a preferred embodiment of the present invention, the data splitting algorithm is performed as follows. First, the length of the file to be split is determined in bytes, such that the file is n bytes long (n being an integer). Client 56 then requests n bytes from a server "A" (not shown). Server "A" generates these bytes with pseudorandom number generator 54 and sends these bytes to client 56. Server "A" also stores these bytes as a file layer. Client 56 then performs an "exclusive-or" with these bytes and the bytes of the file. The result of this operation is then stored in server "B" (not shown). Now there are two file layers, each having n bytes, each of which is stored on a different server. In order to access the original file, both file layers need to be obtained from the respective servers and combined with the "exclusive-or" operation. Of course, this algorithm could be generalized to more than two servers, such that the file would be split into x file layers stored on x servers (x being an integer greater than one). Thus, the mechanism for file splitting significantly increases the difficulty of obtaining unauthorized access to a file.
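The splitting algorithm just described, carried through as an added Python example (not the patent's or any product's code) and generalized to x servers as the text allows: each of the first x minus 1 layers is pseudorandom and the last layer is the file XORed with all of them, so that every layer is needed to recover the file and any proper subset is indistinguishable from noise. `secrets.token_bytes` stands in for pseudorandom number generator 54 on server "A", and the layers are returned in a list instead of being stored on separate servers; both are assumptions of the example.

```python
import secrets


def xor_bytes(a, b):
    """Byte-wise exclusive-or of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("layers must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_file(data, servers=2, rng=secrets.token_bytes):
    """Split `data` into `servers` file layers of n bytes each.

    `rng(n)` stands in for the n pseudorandom bytes that server "A" (and each
    further server but the last) would generate and keep as its file layer;
    the last layer is the file XORed with every random layer, as stored on
    server "B" in the two-server case.
    """
    if servers < 2:
        raise ValueError("splitting needs at least two servers")
    n = len(data)
    layers = [rng(n) for _ in range(servers - 1)]
    last = data
    for layer in layers:
        last = xor_bytes(last, layer)
    layers.append(last)
    return layers


def combine_layers(layers):
    """Recover the file as the XOR of all layers; with any layer missing the result is noise."""
    out = bytes(len(layers[0]))
    for layer in layers:
        out = xor_bytes(out, layer)
    return out
```

Because the random layers are generated fresh per file and are as long as the file, a single layer is a one-time pad of the others: an intruder holding only server "A"'s bytes, or only server "B"'s, has no information about the content, which is the property the text relies on.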

From data splitter/replicator software module 60 (if present, and otherwise from client gateway software module 58), messages are accessed by a user interface 62. User interface 62 provides the previously described GUI for the user to perform various activities, including but not limited to, administering network vaults; controlling the activities surrounding the network vaults and the files within the network vaults; opening and closing network vaults; storing, fetching and deleting files; and other user interactions with the system.

A high level language application programming interface 
(HLL API) 64 enables any program to interact with client 56 
and hence with server 30 (not shown) for accessing a 
network vault. HLL API 64 includes such services as logon, 
logoff, create network vault, store file and so forth. However, 
HLL API 64 only provides at least one service for accessing 
the data itself, and does not provide any service for access- 
ing a central storage facilities file (containing administrative 
and security information). Two examples of programs which 
interact with client 56 through HLL API 64 include a special 
user program 66 and a standard program 68. 

Special user program 66 is a software program which is 
written specially to operate through client 56 in order to 
store and fetch data to/from server 30 (not shown). Special 
user program 66 could be written for storing database 
records and fields and communicating with another user
through the network vault, for example. 

Standard program 68 is a software program which was not 
written specially to interact with client 56, such as "off the
shelf" word processing programs, for example. If standard
program 68 uses standard file commands such as "open",
"close", "read" and "write", then standard program 68 can 
interact with server 30 for accessing a network vault. Stan- 
dard program 68 interacts with HLL API 64 through an 
installable file system (IFS) interface 70, which permits 
interactions to occur according to a standard file system API 
(application programming interface). 

IFS interface 70 is constructed according to the file 
system interface of the operating system for the computer 
operating client 56. The file system interface is a standard 
feature of many commercially available operating systems, 
such as the "Windows™" operating systems of Microsoft, 
Inc. (Seattle, Wash., USA), and enables any standard pro- 
gram to access a non-standard file system with standard 
services. Thus, IFS interface 70 is able to provide these 
standard file system services. 

When a file stored in a network vault is "open", IFS
interface 70 fetches the file from server 30 (not shown) and 
stores the file in a RAM disk 72. RAM disk 72 then 
temporarily stores the file on the computer which is oper- 
ating client 56. RAM disk 72 creates the file in memory, 
writes blocks of data, reads blocks of data, moves the file 
pointer and deletes the file, thereby supporting the services 
provided by IFS interface 70. By storing the file on RAM 
disk 72, rather than even temporarily storing the file on the 
hard drive of the computer which is operating client 56, the 
file is more protected from unauthorized access through the 
computer operating client 56. 

The preferred security features of the system of the 
present invention enable a number of different implemen- 
tations for the present invention. For example, an ISP 
(Internet service provider), a bank or any independent party 
could provide such network vaults to customers, while still 
permitting the customer to have full control over the infor- 
mation rather than the provider of the network vault ser- 
vices. Thus, the customer would not need to trust the 
provider of the network vault services. 

It will be appreciated that the above descriptions are 
intended only to serve as examples, and that many other 
embodiments are possible within the spirit and the scope of 
the present invention. 

What is claimed is: 

1. A system for enabling secured data storage and data 
utilization, said system comprising: 

a. a dedicated server computer with a sterile environment 
such that the only software code that is executable on 
said dedicated server computer is a network vault 
security software system; 

b. a hardware storage device for storing data, said hard- 
ware storage device is accessible only by said dedicated 
server computer; 

c. said network vault security software system, such that 
said security software system is installed on said dedi- 
cated server computer, for providing secure access to 
said data, said security software system includes an 
integrated multi-layers security mechanism for secur- 
ing said data, and a server software mechanism for 
providing a set of services for managing and utilizing 
said data; 

d. a single data access channel within said sterile 
environment, such that said single data access channel 
ensures that only said network vault security software 
system is permitted to be operated by said dedicated 
server computer, and such that communication with 
said dedicated server computer is achievable only 
through said network vault security software system; 

e. a network for connecting at least one user to said 
secured data storage and data utilization system; and 

f. client software for communicating with said network 
vault security software system through said single data 
access channel, said client software operating on at 
least one user computer, said user computer operable to 
connect to said network. 

2. The system of claim 1, wherein said data is isolated 
within said hardware storage device, such that said data is 
accessible only by said network vault security software 
system through said single data access channel. 

3. The system of claim 1, wherein only said network vault 
security software system is permitted to be operated by said 
dedicated server computer, such that any other software 
program is inoperable by said dedicated server computer. 

4. The system of claim 1, wherein said multi-layers 
security mechanism further comprises: 

a. a virtual private network mechanism (VPN) for pro- 
viding a secured communication channel between said 
security software system on said dedicated server com- 
puter and said client software on said user computer; 

b. a packet filter dedicated firewall for preventing any type 
of packet exchange with said dedicated server 
computer, other than communication with said security 
software system in said dedicated server computer; 

c. an authentication security layer for providing a two- 
way authentication hand-shake process between said 
security software system on said dedicated server com- 
puter and said user using said client software on said 
user computer; 

d. an access control security layer for providing controlled 
access to said data stored on said hardware storage 
device, such that said access is provided to said user 
only if said user is authenticated by said authentication 
security layer, and only if said user is permitted said 
access according to an access authorization list, such 
that said access to said data is permitted only through 
said single data access channel; and 

e. an encryption layer for encrypting and decrypting said 
data in said storage device, and for encrypting and 
decrypting data communicated between said dedicated 
server computer and said user computer. 

5. The system of claim 4, wherein said authentication 
layer authenticates said user according to a user identifier, 
said user identifier being selected from a group of identifiers 
consisting of a password, a key diskette, biometric informa- 
tion and a smart card. 

6. The system of claim 4, wherein said access control 
security layer further provides controlled access to said data, 
such that said access to said data is provided to said user only 
after a predefined period of delay, such that a user request to 
access said data is notified to a predefined plurality of users 
before said access to said data is permitted. 

7. The system of claim 4, wherein said access control 
security layer further provides controlled access to said data, 
such that said access to said data is provided to said user only 
after an approval of said access by at least one user of a 
predefined plurality of users that must approve said access to 
said data. 

8. The system of claim 4, wherein said access control 
security layer further provides controlled access to said data, 
such that said access to said data is provided to said user only 
if a predefined plurality of users are collectively connected to 
said network vault security system, such that said access is 
notified to all said plurality of users. 

9. The system of claim 1, wherein said network vault 
security software system further provides a history 
repository, such that said history repository is stored by said 
network vault security software system on said hardware 
storage device. 

10. The system of claim 9, wherein said history repository 
includes records of all access attempts to said data, such that 
each said record cannot be deleted from said history reposi- 
tory for a predetermined period of time. 

11. The system of claim 9, wherein said history repository 
includes all versions of said data, such that each said data 
version cannot be deleted from said history repository for a 
predetermined period of time. 

12. The system of claim 9, wherein said history repository 
is continuously updated and changes in said history reposi- 
tory are automatically sent as alerts to all relevant users, 
such that no periodic polling of the system is required. 

13. The system of claim 1, wherein said server software 
mechanism further comprises: 

(1) a network interface for communicating with said client 
software, said network interface receives packets from 
said network and sends packets to said network; and 

(2) a packet filter for forming said single data access 
channel in combination with said network interface, 
said packet filter filtering said packets received from 
said network according to a destination address, such 
that if said packets do not feature said destination 
address, said packets are dropped. 

14. The system of claim 13, wherein said destination 
address includes a network address of said dedicated server 
computer. 

15. The system of claim 13, wherein said destination 
address includes a transport address of said network vault 
security software system. 

16. The system of claim 13, wherein said server software 
further comprises: 

(3) a transaction gateway software module for receiving 
said packets from said packet filter and for receiving 
said data from said network vault; and; 

(4) an encryption software module for decrypting said 
packets received by said transaction gateway software 
module and for encrypting said data received by said 
transaction gateway software module. 

17. The system of claim 13, wherein said server software 
further comprises: 

(5) a transaction manager software module for receiving 
said decrypted packets from said transaction gateway 
software module and for determining at least one 
access request to access said data in said network vault 
from said decrypted packets. 

18. The system of claim 13, wherein said server software 
further comprises: 

(6) a security module for determining if said at least one 
access request to access said data in said network vault 
by said user is permitted. 

19. The system of claim 18, wherein said security module 
determines if said at least one access request is permitted, 
according to said access control security layer of said 
network vault security software system. 

20. The system of claim 13, wherein said server software 
further comprises: 

(7) a unique file system for organizing said data on said 
hardware storage device according to a unique 
organization, such that said data is accessible only 
according to said unique organization. 

21. The system of claim 20, wherein said data is organized 
as a plurality of clusters such that a logical order of said 
plurality of clusters on said network vault differs from a 
physical order of said plurality of clusters on said hardware 
storage device, and wherein said server software further 
comprises: 

(8) a unique file system mapping table to map said logical 
order of said plurality of clusters on said network vault 
to said physical order of said plurality of clusters on 
said hardware storage device; and 

(9) a virtual disk driver for accessing said data through 
said unique file system according to at least one data 
access request, said virtual disk driver accessing said 
data only if said at least one data access request 
contains a logical address for at least one of said 
plurality of clusters matching a physical address for 
said at least one of said plurality of clusters, according 
to said unique file system mapping table. 

22. The system of claim 21, wherein said unique file 
system mapping table is stored on a removable storage 
medium external to said hardware storage device, such that 
when said removable storage medium is removed, said 
logical order of said plurality of clusters remains unknown. 
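The mapping-table and virtual-disk-driver arrangement of claims 20 to 22, as an added toy model that is not part of the patent: a pseudorandom permutation maps logical cluster indices to physical ones, and the driver refuses every access when the table is absent (the removable medium has been taken out) or when the requested logical address has no entry. CLUSTER_SIZE, the table format and the class names are assumptions made for this example.

```python
# Added example (not the patent's own code): toy model of claims 20-22.
# The mapping table is a random permutation logical -> physical cluster;
# the driver accesses the device only through it. CLUSTER_SIZE is constructed.
import secrets
from typing import Dict, Optional

CLUSTER_SIZE = 8  # bytes per cluster (constructed value for the example)


def build_mapping_table(num_clusters: int) -> Dict[int, int]:
    """Random permutation logical index -> physical index (Fisher-Yates, CSPRNG)."""
    physical = list(range(num_clusters))
    for i in range(num_clusters - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        physical[i], physical[j] = physical[j], physical[i]
    return dict(enumerate(physical))


class VirtualDiskDriver:
    """Reaches the hardware storage device only through the mapping table (claim 21)."""

    def __init__(self, num_clusters: int, mapping: Optional[Dict[int, int]]):
        self.storage = bytearray(num_clusters * CLUSTER_SIZE)  # the raw device
        self.mapping = mapping  # None models the removable medium being absent (claim 22)

    def _physical_offset(self, logical: int) -> int:
        if self.mapping is None:
            raise PermissionError("mapping table not present: logical order unknown")
        if logical not in self.mapping:
            raise PermissionError(f"no mapping entry for logical cluster {logical}")
        return self.mapping[logical] * CLUSTER_SIZE

    def write_cluster(self, logical: int, data: bytes) -> None:
        if len(data) != CLUSTER_SIZE:
            raise ValueError("a cluster must be written whole")
        off = self._physical_offset(logical)
        self.storage[off:off + CLUSTER_SIZE] = data

    def read_cluster(self, logical: int) -> bytes:
        off = self._physical_offset(logical)
        return bytes(self.storage[off:off + CLUSTER_SIZE])

    def raw_physical_clusters(self) -> list:
        """What the bare device yields without the table: clusters in physical order."""
        return [bytes(self.storage[i:i + CLUSTER_SIZE])
                for i in range(0, len(self.storage), CLUSTER_SIZE)]
```

Reading the raw device returns the clusters in their scrambled physical order, which is why the claim keeps the table off the device.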

23. The system of claim 1, wherein said single data access 
channel further comprises: 

a. a system hook for preventing any additional software 
code from being operated by said dedicated server 
computer, to prevent installation and execution of a 
rogue software program for accessing said data; and 

b. a packet filter which acts as a gatekeeper for said single 
data access channel, said packet filter blocks any com- 
munication with said dedicated server computer other 
than communication with said security software 
system, such that incoming packets are permitted only 
if said packets are targeted to said security software 
system on said dedicated server computer, and such 
that outgoing packets are permitted only if said packets 
are being sent from said security software system on 
said dedicated server computer. 

24. The system of claim 1, wherein said network connects 
at least one additional user computer to the secured data 
storage and data utilization system, said additional user 
computer being operated by at least one additional user, such 
that said additional user is authenticated by said authenti- 
cation security layer, said user and said additional user are 
permitted access to said data in said network vault according 
to said access control security layer, such that said user and 
said additional user securely exchange data through said 
network vault, without requiring communication between 
said user computer and said additional user computer. 

25. The system of claim 24, wherein at least one user is 
notified by said network vault security software system 
when said at least one additional user accesses said data on 
said network vault. 

26. The system of claim 24, wherein at least one user is 
immediately notified by said network vault when said addi- 
tional user accesses said data of said network vault, such that 
no periodic polling of the system is required. 

27. The system of claim 1, wherein the system further 
comprises: 

a. an additional network for connecting at least one 
additional user to the secured data storage and data 
utilization system, such that at least one additional user 
computer is connected to said additional network, said 
additional user computer being operated by an addi- 
tional user, said additional user is authenticated by said 
authentication security layer, said user and said addi- 
tional user are permitted access to said data in said 
network vault according to said access control security 
layer, wherein said packet filter firewall prevents any 
packet exchange between said network and said addi- 
tional network, such that said user and said additional 
user securely exchange data through said network 
vault, without requiring communication between said 
network and said additional network. 

28. The system of claim 1, wherein said client software 
further comprises: 

(A) a limited API (application programming interface) for 
interacting with said server software, such that only 
said API interacts with said server software, said API 
providing at least one service for accessing said data, 
such that said access to said data is provided through 
said single data access channel; and 

(B) at least one user software program for interacting with 
said user and said API to access said data. 

29. The system of claim 1, wherein said client software 
further comprises: 

(C) a RAM (random access memory) disk for receiving 
said data from said server software and for temporarily 
storing said data. 

30. The system of claim 1, wherein said client software 
further comprises: 

(D) a data replicator software module for providing data 
replication between at least two network vault systems, 
for providing higher availability of said data stored on 
said at least two network vault systems. 

31. The system of claim 1, wherein said client software 
further comprises: 

(E) a data splitter software module for splitting at least 
one file between at least two network vault systems, 
such that said file is mathematically split into a plurality 
of parts, such that each said part is meaningless without 
all other said parts of said file, such that each said part 
is stored on a different said network vault system, such 
that access to said file requires all said parts of said file 
from said at least two network vault systems. 

32. The system of claim 31, wherein said data splitter 
software module further comprises the steps of: 

(a) producing a plurality of pseudorandom bytes corre- 
sponding to a length of said at least one file; 

(b) performing a reversible mathematical operation on 
said plurality of pseudorandom bytes and said at least 
one file to obtain a resultant file combination; and 

(c) storing said resultant file combination and said plu- 
rality of pseudorandom bytes on different said network 
vault systems, such that said at least one file is acces- 
sible only if said at least one file is obtained from said 
resultant file combination and said plurality of pseu- 
dorandom bytes, according to said reversible math- 
ematical operation. 
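The splitting procedure of claims 31 and 32, as an added example that is not the patent's own code, generalised from two vault systems to N: step (a) draws pseudorandom bytes of the file's length, step (b) combines them with the file by XOR (the reversible operation), and step (c) places each part on a different vault, so that the file is recoverable only with every part. The XOR choice, the function names and the dictionary standing in for the vault systems are assumptions made for this example.

```python
# Added example (not from the patent): data splitter of claims 31-32 for N vaults.
# XOR is used as the reversible operation; the vault dict is a constructed stand-in.
import secrets
from typing import Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; both inputs must have the file's length."""
    if len(a) != len(b):
        raise ValueError("parts of a split must all have the file's length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_file(data: bytes, num_vaults: int = 2) -> List[bytes]:
    """Step (a)+(b): num_vaults parts; any proper subset is uniformly random,
    so a single vault system learns nothing about the file on its own."""
    if num_vaults < 2:
        raise ValueError("splitting requires at least two vault systems")
    pads = [secrets.token_bytes(len(data)) for _ in range(num_vaults - 1)]  # step (a)
    combination = data
    for pad in pads:                      # step (b): reversible operation
        combination = xor_bytes(combination, pad)
    return [combination] + pads


def recombine(parts: List[bytes]) -> bytes:
    """Inverse of split_file: XOR of every part recovers the original file."""
    if len(parts) < 2:
        raise ValueError("all parts are required")
    result = parts[0]
    for part in parts[1:]:
        result = xor_bytes(result, part)
    return result


def store_on_vaults(parts: List[bytes], vault_ids: List[str]) -> Dict[str, bytes]:
    """Step (c): every part goes to a different network vault system."""
    if len(set(vault_ids)) != len(parts):
        raise ValueError("each part needs its own vault system")
    return dict(zip(vault_ids, parts))


def fetch_and_recombine(vaults: Dict[str, bytes]) -> bytes:
    """Access to the file requires fetching the part from every vault."""
    return recombine(list(vaults.values()))
```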